This filter is going to have so many false positives, I’d be almost surprised if the internet would be usable.
I don’t know what exactly you are trying to do and how foolproof you want it to be, but a simple starting point, if clients use your router as DNS resolver, could be:
/ip dns static
add address=127.0.0.1 regexp="\\.(ru|ro)\$"
It’s very easy to get around it, all you need is to use a different resolver. If that’s a problem, you could redirect all DNS queries to your router, which is generally not a nice thing to do, but if it’s your company network or something, then why not. It would still be possible to access those TLDs if someone knew the address, but if you’d want to block that too, you’d be moving somewhere between hard and impossible.
Layer7 is not for URLs, it checks ALL THE PACKETS. It means it will check for such patterns even in any other traffic, webpage content, mail content (anything not encrypted). This is a very bad idea.
DNS is a much better approach, like the above poster suggested.
I’ve begun to test your suggestion with regexp=“.*.(ru|ro|cn|kp|kr|bg|vn)”.
The first impression is, it works very well. Now I will extend it step by step.
I would recommend reading the suggestion more carefully and not arbitrarily skipping some characters from it (like \ and $).
What you are doing now is going to have false positives just like your original experiment.
Also you need to ask yourself if your network is going to be better by just arbitrarily blocking some TLD, but that is a different topic.
(you probably associate TLD with country and some countries with “bad things”, but in reality the relation is not that strict)
[quote]
I would recommend reading the suggestion more carefully and not arbitrarily skipping some characters from it (like \ and $).
What you are doing now is going to have false positives just like your original experiment.
[/quote]
Thanks for the tip. But I have problems with the notation.
A point stands for any character.
The backslash makes the original symbol.
. = Any char
\. = .
The $ means that the chars before must be found at the end.
.ru$ should be .ru at the end of the domain.
But there is no effect if I use it. What’s wrong?
Is there a good FAQ site?
[quote]
Also you need to ask yourself if your network is going to be better by just arbitrarily blocking some TLD, but that is a different topic.
(you probably associate TLD with country and some countries with “bad things”, but in reality the relation is not that strict)
[/quote]
You are right. Not all Russians, North Koreans, whatever, are bad or do bad things.
But I do not speak their language, and I’ve never used a page with this TLD.
But I see a lot of phishing mails with links from this TLD. So it is a simple thing to protect the users in my network from this danger without having some limitations.
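An added example, not part of any post in this thread: it runs the three regexp variants discussed above over constructed hostnames to show which ones block names outside the intended TLDs. It assumes the router searches for the pattern anywhere in the queried name, with Python's `re.search` standing in for the router's regex engine; the hostnames and the `no backslash` variant are illustrative.

```python
import re

# Patterns as the regex engine receives them. In the RouterOS console the
# suggested one is typed "\\.(ru|ro)\$", since \ and $ are escaped there.
# Assumption: the pattern is searched for anywhere in the queried name;
# Python's re.search stands in for the router's regex engine.
PATTERNS = {
    "as tested":    r".*.(ru|ro|cn|kp|kr|bg|vn)",  # no escaped dot, no $
    "no backslash": r".(ru|ro)$",                  # $ kept, dot unescaped
    "as suggested": r"\.(ru|ro)$",                 # literal dot + end anchor
}

ALL_TLDS = {"ru", "ro", "cn", "kp", "kr", "bg", "vn"}

# Constructed sample hostnames (not taken from the thread).
SAMPLES = [
    "example.ru",
    "shop.example.ro",
    "www.microsoft.com",
    "forum.mikrotik.com",
    "example.ru.com",
    "example.guru",
    "example.pro",
    "www.google.com",
]


def blocked(pattern, name):
    """True if a static DNS entry with this regexp would answer for name."""
    return re.search(pattern, name) is not None


def false_positives(pattern, names, tlds):
    """Names the pattern blocks although their TLD is not in tlds."""
    return [n for n in names
            if blocked(pattern, n) and n.rsplit(".", 1)[-1] not in tlds]


if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        tlds = ALL_TLDS if label == "as tested" else {"ru", "ro"}
        print(f"{label:13} {pattern:28} -> "
              f"{false_positives(pattern, SAMPLES, tlds)}")
```

Without the backslash the dot matches any character, so `.guru` and `.pro` are caught; without `$` the two letters can sit anywhere in the name.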
Remember that dns is cached everywhere. So if you block something, it will only affect new requests. If you resolved some hostname previously and it’s still in local cache, no new request will be sent until its ttl expires.